[openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add ability to load server certificate by ENGINE.
> I prefer more generic method similar to ENGINE_load_ssl_client_cert, i.e. I need EVP keys,
> corresponding certificates and the certificate chain.

The additional methods have "server" in their names for the same reason that "ENGINE_load_ssl_client_cert" has "client" in it. ENGINE_load_server_certificate() is intended to work in a pair with ENGINE_load_private_key(), to allow an engine to load the certificate corresponding to its private key and present the obtained certificate to the client during the SSL handshake. That's it. You can always get the required EVP_PKEY keys from the loaded X509 structure. But I can't get why you would need a certificate chain for your certificate if you are a server.

Andrey
Re: [openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add ability to load server certificate by ENGINE.
Andrey Kulikov via RT wrote:
> Hello,
>
> Please find file attached: server_cert_from_engine4.patch
> This is a patch to allow loading a server SSL certificate by ENGINE.
>
> [SNIP]
>
> After applying this patch s_server will accept the "-certform ENGINE" option.
>
> This patch is supplied by Stonesoft Corporation, who gave me permission to
> supply it to OpenSSL.
>
> Feel free to contact me with any related questions.
>
> Andrey.

No idea why the patch uses "server" in method names. As the STORE is not available yet (enabled in 0.98 but experimental in 1+?!), I vote for a simple temporary solution too (http://www.stacken.kth.se/lists/heimdal-discuss/2005-04/msg4.html). I prefer a more generic method similar to ENGINE_load_ssl_client_cert, i.e. I need EVP keys, corresponding certificates and the certificate chain. Of course the engine ssl-cert method could be modified to return the above if the SSL context is null, but the current search criteria are a limitation.

Roumen

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
[openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add ability to load server certificate by ENGINE.
Hello,

Please find file attached: server_cert_from_engine4.patch

This is a patch to allow loading a server SSL certificate by ENGINE. Currently OpenSSL allows loading a certificate only from a file. Loading by a specific engine is required for hardware-based engines, which use their own certificate storage, as well as any Microsoft CAPI-based CSP. Although there are no such engines implemented for OpenSSL yet, there soon will be.

Affected files:
apps/apps.c
apps/s_server.c
crypto/engine/engine.h
crypto/engine/eng_int.h
crypto/engine/eng_pkey.c

Patch created using this command:
diff -rupN openssl-1.0.0d/ openssl-1.0.0d-engine-srv-cert/ > server_cert_from_engine4.patch

To apply the patch use the following command in the current OpenSSL root dev. directory:
patch -p1 -l -u -b -i server_cert_from_engine4.patch

After applying this patch s_server will accept the "-certform ENGINE" option.

This patch is supplied by Stonesoft Corporation, who gave me permission to supply it to OpenSSL.

Feel free to contact me with any related questions.

Andrey.

Attachment: server_cert_from_engine4.patch (binary data)